Abstract

In this document, a privacy-preserving distributed profile matching protocol is proposed for a particular network context called mobile social networks. Such networks are often deployed in more or less hostile environments, requiring rigorous security mechanisms. At the same time, energy and computational resources are limited, as these heterogeneous networks are frequently made up of wireless components such as tablets or mobile phones. This is why a new encryption algorithm offering a high level of security while preserving resources is proposed in this paper. The approach is based on elliptic curve cryptography, more specifically on an almost completely homomorphic cryptosystem over a supersingular elliptic curve, leading to a secure and efficient preservation of privacy in distributed profile matching.


1 Introduction

Social networking websites, like Facebook [?] with its 900 million active users or Google+ [7], are of widespread use in our connected and globalized world. A major trend of these social networks is to attempt to provide instant and real-time access to users, whatever their location and the connected device they use. This sensible demand from users has led to the development of mobile social networking (MSN) software like Foursquare [5] and Gowalla [8], in which individuals with similar interests are connected together and converse with one another through either tablets or mobile phones. In that approach, mobile apps use existing social networks to create native communities and promote discovery, leading to an improvement of web-based social networks using mobile features and accessibility. Making new connections according to personal preferences is a crucial service in MSN, where the initiating user can find matching users within physical proximity of him/her. In existing systems for such services, usually all the users directly publish their complete profiles for others to search. However, in many applications, the users' personal profiles may contain sensitive information that they do not want to make public. The authors of [10] have presented FindU, a first privacy-preserving personal profile matching scheme designed for mobile social networks. In FindU, an initiating user can find, from a group of users, the one whose profile best matches his/her own; to limit the risk of privacy exposure, only necessary and minimal information about the private attributes of the participating users is exchanged. They rely on a Blind and Permute (BP) protocol. Several increasing levels of user privacy are defined, with decreasing amounts of exchanged profile information. The authors of this document propose to use a different encryption scheme within the BP algorithm. This new scheme can provide a similar level of security while drastically reducing the computation and communication costs, which is critical in the MSN context. In the BP algorithm, operations over ciphertexts are required. The original method proposed in [?] achieves this requirement using the cryptosystem of [12], which needs a lot of resources and is quite incompatible with the constraints related to MSNs. On the contrary, the scheme proposed here is based on elliptic curve cryptography [?], which leads to smaller keys and cryptograms, low-cost computations and shorter communication messages, thereby largely reducing battery consumption. The remainder of this document is organized as follows. In Section 2, related works in the field of privacy-preserving profile matching are presented. Then, in Section 3, we recall the FindU protocol with related definitions. We give the BP protocol in Section 4. We construct the homomorphic encryption in Section 5 and we use it in Section 6, with a performance analysis in Section 7. Section 8 concludes this work.


2 Related Works

The methods used in the field of privacy-preserving distributed profile matching are usually classified into three main categories according to the cryptographic tools they use. In protocols based on oblivious polynomial evaluation, a client and a server compute the intersection of the sets corresponding to their profiles, such that the client gets the result while the server learns nothing. Homomorphic encryption, which allows operations over ciphertexts, is used to evaluate obliviously a polynomial that represents the client's input. This method was originally proposed in [3], through the FNP scheme. Other examples in the same category can be found, for instance, in [?] and [?]. These methods are however impracticable in MSNs because they do not achieve linear computational complexity. Protocols based on oblivious pseudorandom functions consist of two parties that securely compute a pseudorandom function, where one of them holds the key while the other provides the input (set elements). The objective is a secure set intersection. Suppose two parties with private sets wish to learn the intersection set without revealing anything else. Let $P_1$ and $P_2$ be two parties that have inputs $X$ and $Y$ respectively and $F$ a pseudorandom function, while $k$ is a key for $F$ belonging to $P_1$. $P_2$ computes $\{F_k(y)\}_{y \in Y}$ and $P_1$ computes $\{F_k(x)\}_{x \in X}$ and sends the results to $P_2$. Thus, $P_2$ compares which elements appear in both sets to learn the intersection [2]. The complexity of this method is smaller than that of the first. The last category consists of protocols based on so-called commutative encryption. An encryption scheme $E_k(\cdot)$ is said to have the commutative property when, for all keys $k_1$ and $k_2$, we have $E_{k_1}(E_{k_2}(x)) = E_{k_2}(E_{k_1}(x))$. For instance, the well-known RSA encryption scheme has this commutative property. The main idea when considering privacy-preserving profile matching is thus to use the commutative encryption as a keyed one-way hash function, to generate a mapping for each element $x$ such that no party knows the key [1]. A commonly cited disadvantage of this method is that it often provides weaker security [10]. The authors of [10] have presented a privacy-preserving profile matching scheme called FindU. FindU is a symmetric protocol, i.e., the output is known at the same time by all parties. The characteristics of this scheme are further detailed in the next section.
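The commutative-encryption approach just described, as an added Python example that is not from the paper or from any of the works it cites: $E_k(x) = x^k \bmod P$ with an exponent $k$ coprime to $P-1$ is commutative, so each party applies its own key to the other party's hashed attributes, and only the doubly encrypted values, which correspond to the composite key $k_a k_b$ that neither party holds, are compared. The modulus P, the SHA-256 hash-to-group map and the attribute sets are constructed toy assumptions, not parameters from the page.

```python
# Added example (not from the paper): the third Section 2 category, private set
# intersection from a commutative encryption E_k(x) = x^k mod P. P is a small
# constructed prime, far too small for real use, and the hash-to-group map is ad hoc.
import hashlib
import math
import random

P = 1_000_000_007  # constructed toy prime modulus

def random_exponent():
    """Key k coprime to P-1, so x -> x^k mod P permutes the nonzero residues."""
    while True:
        k = random.randrange(2, P - 1)
        if math.gcd(k, P - 1) == 1:
            return k

def hash_to_group(item):
    """Map a profile attribute (a string) to a nonzero residue modulo P."""
    digest = int.from_bytes(hashlib.sha256(item.encode()).digest(), "big")
    return digest % (P - 1) + 1

def E(k, x):
    """Commutative: E(k1, E(k2, x)) == E(k2, E(k1, x)) because (x^k2)^k1 = (x^k1)^k2."""
    return pow(x, k, P)

def private_intersection(set_a, set_b, k_a, k_b):
    """A (key k_a) and B (key k_b) exchange singly encrypted attributes, each applies
    its own key to the other's list, and A compares the doubly encrypted values.
    Both parties only ever compare values under the composite key k_a*k_b."""
    a_once = {E(k_a, hash_to_group(x)): x for x in set_a}  # A -> B
    b_once = [E(k_b, hash_to_group(y)) for y in set_b]     # B -> A
    a_twice = {E(k_b, c): x for c, x in a_once.items()}    # B returns E_kb(E_ka(.)) in order
    b_twice = {E(k_a, c) for c in b_once}                  # A computes E_ka(E_kb(.)) itself
    return {x for c, x in a_twice.items() if c in b_twice}
```

A learns which of its own attributes are shared; B learns the same from its side with the roles swapped. Because the exponentiation is a permutation of the nonzero residues, no collisions are introduced beyond those of the hash, and the singly encrypted lists reveal nothing about non-matching attributes without the other party's key.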


3 The FindU Protocol

3.1 Problem Definition

In mobile social networks, devices are wirelessly connected (using wireless interfaces such as Bluetooth or Wi-Fi), thus resources are limited and a certain level of security is required. The authors of the FindU algorithm suppose that the connection is established under a public key cryptosystem, where keys are distributed securely among the parties. Then, when a party launches a matching, the BP algorithm ensures that a secret is shared securely. Let us define these stages more precisely. The system consists of $N$ users (parties) denoted as $P_1, \dots, P_N$, each possessing a portable device. We denote the initiating party (initiator) as $P_1$. $P_1$ launches the matching process and its goal is to find one party that best matches with it, from the rest of the parties $P_2, \dots, P_N$, which are called candidates. Each party $P_i$'s profile consists of a set of attributes $S_i$, which can be strings up to a certain length. $P_1$ defines a matching query to be a subset of $S_1$ (in the following we use $S_1$ to denote the query set unless specified). Also, we denote $n = |S_1|$ and $m = |S_i|$, $i > 1$, assuming that each candidate has the same set length for the sake of simplicity. Let us now introduce the following definitions.

Definition 1. The match of the set $S_i$, $i \in \{2, \dots, N\}$, is by definition the cardinality of $S_1 \cap S_i$.

Definition 2. The best match $P_{i^*}$ is defined as the party having the maximum intersection set size with $P_1$.

$P_1$ will first find out $P_{i^*}$ via the proposed protocol. Then they will decide whether to connect with each other based on their actual intersection set.
3.2 Adversary Models

If a party obtains one or more (partial or full) attribute sets without the explicit consent of these users, we say he has achieved user profiling. In that context, the two following levels of security can be defined [?]:

• Honest-but-Curious (HBC) adversary. In this model, the attacker tries to learn more information than what is allowed, by inferring from the results while honestly following the protocol.

• Malicious adversary. The attacker tries here to learn more information than allowed by deviating from the protocol run.

3.3 Design Goals

Here we describe the design goals of the FindU scheme. One of the main goals is to defend against the profiling attack defined in the previous section. We let the user choose his level of security requirement, which we discuss in the next section. By definition, the party $P_1$ searches among all parties for the one that best matches with him, and at the end, the output of the algorithm will contain the intersection set between his query set and the profile set of all other parties. By launching FindU, an adversary may obtain all this information. Thus, we let the user choose his privacy level. The main security goal is to thwart the user profiling attack. Since the users may have different privacy requirements, and as it takes different amounts of effort in a protocol run to achieve them, we hereby define three levels of privacy where a higher level leaks less information to the adversary. Note that, by default, all of the following include letting $P_1$ and the best match $P_{i^*}$ learn the intersection set between them at the end of a protocol run.

• Privacy level 1 (PL-1). When the protocol ends, $P_1$ and each candidate $P_i$, $1 < i \le N$, mutually learn the intersection set between them, that is, $I_{1,i} = S_1 \cap S_i$. An adversary $A$ should learn nothing beyond what can be derived from the above outputs and private inputs.

If we assume the adversary has unbounded computing power, PL-1 actually corresponds to unconditional security for all the parties under the HBC model. Obviously, in PL-1, $P_1$ can obtain all candidates' intersection sets in just one protocol run, thus it reveals too much user information to the attacker if he assumes the role of $P_1$.

Therefore we define privacy level 2 in the following.

• Privacy level 2 (PL-2). When the protocol ends, $P_1$ and each candidate $P_i$, $1 < i \le N$, mutually learn the size of their intersection set: $m_{1,i} = |S_1 \cap S_i|$. In addition, the best match $P_{i^*}$ is allowed to know the $m_{1,i}$ values of the other $P_i$'s. The adversary $A$ should learn nothing beyond what can be derived from the above outputs and its private inputs.

• Privacy level 3 (PL-3). At the end of the protocol, $P_1$ and each $P_i$ should only learn the ranks of each value $m_{1,i}$, $1 < i \le N$. $A$ should learn nothing more than what can be derived from the outputs and its private inputs.

In PL-3, we can require that $P_1$ only contacts the best match, such that it only obtains the intersection set $I_{1,i^*}$ with the best match. In this way, $A$ will need at least $N - 1$ protocol runs to know all other users' exact information, such that $A$'s profiling capability is much limited.

The authors of FindU suggest that the protocol should be lightweight and practical, i.e., efficient enough in computation and communication to be used in MSN. This is why we suggest introducing homomorphic encryption into the FindU protocol. Readers are referred to [10] for a complete description of FindU. In order to achieve PL-2, the authors introduce homomorphic encryption over ciphertexts. For our part, to largely reduce the energy consumption, we suggest using elliptic curve based encryption. The Blind and Permute Protocol (BP), part of the FindU system, is presented in the next section, whereas the proposed improvement is detailed in Section 5.


4 Blind and Permute Protocol (BP)

The input to the BP protocol is a sequence $S = (s_1, \dots, s_n)$ of integer values that is componentwise additively split between $A$, who has $S' = (s'_1, \dots, s'_n)$, and $B$, who has $S'' = (s''_1, \dots, s''_n)$, such that $S = S' + S''$ [12], where $+$ stands for the vectorial addition of integers. The output is a sequence obtained from $S$ by:

1. permuting the entries of $S$ according to a random permutation $\pi$ that is known to neither $A$ nor $B$,

2. modifying the additive split of the entries of $S$ so that neither $A$ nor $B$ can use their share of it to gain any information about $\pi$. We seek a protocol that does this in linear computation and communication complexity.

Observe that it suffices to give a protocol that does half of the job: it blinds and permutes for $A$ according to a random permutation chosen by $B$. Then we can use such a protocol a second time with the roles of $A$ and $B$ reversed, resulting in a permutation that is the composition of two random permutations: one chosen by $B$ and unknown to $A$, another chosen by $A$ and unknown to $B$. The protocol where $B$ chooses the permutation is given next.

1. $A$ computes and sends $E_A(s'_1), \dots, E_A(s'_n)$ to $B$ (here $E$ is the cryptosystem defined in [?], whose performance is compared to our scheme in Section 7).

2. $B$ selects $n$ random numbers $r_1, \dots, r_n$, and for every $i \in \{1, \dots, n\}$ he computes $E_A(-r_i)$ and multiplies it by the $E_A(s'_i)$ he received in the first step, thereby obtaining $E_A(s'_i - r_i)$.

3. $B$ generates a random permutation $\pi_B$ and applies it to the sequence of $E_A(s'_i - r_i)$'s computed in the previous step, obtaining a sequence of the form $E_A(v'_1), \dots, E_A(v'_n)$ that he sends to $A$. He also applies $\pi_B$ to the sequence $s''_1 + r_1, \dots, s''_n + r_n$, obtaining a sequence $v''_1, \dots, v''_n$. Note that the sequence $v'_1 + v''_1, \dots, v'_n + v''_n$ is a permuted version of $S$ (permuted according to $\pi_B$).

4. $A$ decrypts the $n$ items $E_A(v'_1), \dots, E_A(v'_n)$ received from $B$, obtaining the sequence $v'_1, \dots, v'_n$.

In the FindU algorithm (advanced version), BP permits achieving the PL-2 level of security.


5 Homomorphic Encryption

We use elliptic curve based cryptography to construct the homomorphic encryption function.

5.1 Operations over Elliptic Curves

5.1.1 Addition and Multiplication

Elliptic curve cryptography (ECC) is an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields [13]. Elliptic curves used in cryptography are typically defined over two types of finite fields: prime fields $\mathbb{F}_p$, where $p$ is a large prime number, and binary extension fields $\mathbb{F}_{2^m}$ [?]. In our paper, we focus on elliptic curves over $\mathbb{F}_p$. Let $p > 3$; then an elliptic curve over $\mathbb{F}_p$ is defined by the cubic equation $y^2 = x^3 + ax + b$ as the set

$$E = \{(x, y) \in \mathbb{F}_p \times \mathbb{F}_p \mid y^2 = x^3 + ax + b \pmod p\}$$

where $a, b \in \mathbb{F}_p$ are constants such that $4a^3 + 27b^2 \neq 0 \pmod p$. An elliptic curve over $\mathbb{F}_p$ consists of the set of all pairs of affine coordinates $(x, y)$ for $x, y \in \mathbb{F}_p$ that satisfy an equation of the above form, together with a point at infinity $O$. Point addition and its special case, point doubling over $E$, are defined as follows (the arithmetic operations are carried out in $\mathbb{F}_p$ [?]). Let $P = (x_1, y_1)$ and $Q = (x_2, y_2)$ be two points of $E$. Then:

$$P + Q = \begin{cases} O & \text{if } x_2 = x_1 \text{ and } y_2 = -y_1, \\ (x_3, y_3) & \text{otherwise,} \end{cases}$$

where:

• $x_3 = \lambda^2 - x_1 - x_2$,

• $y_3 = \lambda \times (x_1 - x_3) - y_1$,

• $\lambda = \begin{cases} (y_2 - y_1) \times (x_2 - x_1)^{-1} & \text{if } P \neq Q, \\ (3x_1^2 + a) \times (2y_1)^{-1} & \text{if } P = Q. \end{cases}$

Finally, we define $P + O = O + P = P$, $\forall P \in E$, which leads to an abelian group $(E, +)$. The multiplication $n \times P$ means $P + P + \dots + P$ ($n$ times), and $-P$ is the symmetric of $P$ for the group law $+$ defined above, for all $P \in E$.
5.1.2 Public/Private Key Generation with ECC

In this section we show how we can generate the public and private keys for encryption, following the cryptosystem proposed by Boneh et al. [?]. Let $t > 0$ be an integer called the "security parameter". To generate public and private keys, first of all, two $t$-bit prime numbers must be computed. Therefore, a cryptographic pseudorandom generator can be used to obtain two vectors of $t$ bits, $q_1$ and $q_2$. Then, a Miller-Rabin test can be applied for testing the primality of $q_1$ and $q_2$. We denote by $n$ the product of $q_1$ and $q_2$, $n = q_1 \times q_2$, and by $l$ the smallest positive integer such that $p = l \times n - 1$ is a prime number with $p \equiv 2 \pmod 3$. In order to find the private and public keys, we define a group $H$, consisting of the points of the supersingular elliptic curve $y^2 = x^3 + 1$ defined over $\mathbb{F}_p$. It has $p + 1 = n \times l$ points, and thus has a subgroup of order $n$, which we call $G$. In another step, we compute $g$ and $u$ as two generators of $G$ and $h = q_2 \times u$. Then, following [?], the public key is given by $(n, G, g, h)$ and the private key by $q_1$.

5.1.3 Encryption and Decryption

After the private/public key generation, we proceed now to the encryption and decryption phases:

• Encryption: assume that our message space consists of the integers in the set $\{0, 1, \dots, T\}$, where $T < q_2$, and let $m$ be the (integer) message to encrypt. First, a random integer $r$ is picked from the interval $[0, n - 1]$. Then, the ciphertext is defined by

$$C = m \times g + r \times h \in G,$$

in which $+$ and $\times$ refer to the addition and multiplication laws defined previously.

• Decryption: once the message $C$ has arrived at its destination, to decrypt it we use the private key $q_1$ and the discrete logarithm in base $q_1 \times g$ as follows:

$$m = \log_{q_1 \times g}(q_1 \times C).$$

5.2 Homomorphic Properties

As we have mentioned before, our approach ensures easy encryption/decryption without any need for extra resources. This will be shown in the next section. Moreover, our approach supports homomorphic properties, which gives us the ability to execute operations on values even though they have been encrypted. Indeed, it allows $N$ additions and one multiplication directly on cryptograms. As the product operation will not be used in the profile matching, we will not detail it in this section. Addition over ciphertexts is done as follows: let $m_1$ and $m_2$ be two messages and $C_1$, $C_2$ their respective ciphertexts. Then the sum of $C_1$ and $C_2$, which we call $C$, is represented by $C = C_1 + C_2 + r \times h$, where $r$ is an integer randomly chosen in $[0, n - 1]$ and $h = q_2 \times u$ as presented in the previous section. This sum operation guarantees that the decryption value of $C$ is the sum $m_1 + m_2$.

6 The Modified Version of the BP Protocol

We rewrite the BP protocol with our novel cryptosystem, $E$ now denoting the novel algorithm.

1. $A$ computes and sends $E_A(s'_1), \dots, E_A(s'_n)$ to $B$.

2. $B$ selects $n$ random numbers $r_1, \dots, r_n$, and for every $i \in \{1, \dots, n\}$ he computes $E_A(-r_i)$ and adds it to the $E_A(s'_i)$ he received in the first step, thereby obtaining $E_A(s'_i - r_i)$.

3. $B$ generates a random permutation $\pi_B$ and applies it to the sequence of $E_A(s'_i - r_i)$'s computed in the previous step, obtaining a sequence of the form $E_A(v'_1), \dots, E_A(v'_n)$ that he sends to $A$. He also applies $\pi_B$ to the sequence $s''_1 + r_1, \dots, s''_n + r_n$, obtaining a sequence $v''_1, \dots, v''_n$. Note that the sequence $v'_1 + v''_1, \dots, v'_n + v''_n$ is a permuted version of $S$ (permuted according to $\pi_B$).

4. $A$ decrypts the $n$ items $E_A(v'_1), \dots, E_A(v'_n)$ received from $B$, obtaining the sequence $v'_1, \dots, v'_n$.
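As an added example (Python; not the paper's or FindU's own code), the following toy implementation puts Sections 5 and 6 together on the match sizes of Definition 1: curve arithmetic on $y^2 = x^3 + 1$ over $\mathbb{F}_p$, the key generation, encryption, decryption and ciphertext addition of Section 5, and B's half of the modified BP protocol above. Everything not stated in the paper is an assumption made here: the primes $q_1 = 11$, $q_2 = 13$ (giving $l = 6$ and $p = 857$), trial division in place of the Miller-Rabin test, a brute-forced discrete logarithm in decryption, shares and blinding values reduced modulo $q_2$ so that every plaintext stays inside the message space $\{0, \dots, q_2 - 1\}$, and the sample profiles.

```python
# Added example (not the paper's code): toy instance of the Section 5 cryptosystem
# on the supersingular curve y^2 = x^3 + 1 over F_p, its homomorphic addition, and
# B's half of the Section 6 Blind-and-Permute protocol. Primes are tiny constructed
# values (insecure) so the discrete logarithm in decryption can be brute-forced.
import random

O = None  # the point at infinity

def is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))  # stands in for Miller-Rabin

def ec_add(P, Q, a, p):
    """Point addition and doubling on y^2 = x^3 + a x + b over F_p (Section 5.1.1)."""
    if P is O:
        return Q
    if Q is O:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return O  # Q = -P
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def ec_mul(k, P, a, p):
    """k x P by double-and-add; a negative k uses -P = (x, -y)."""
    if k < 0:
        k, P = -k, (O if P is O else (P[0], -P[1] % p))
    R = O
    while k:
        if k & 1:
            R = ec_add(R, P, a, p)
        P, k = ec_add(P, P, a, p), k >> 1
    return R

def random_point(p):
    """Random point of y^2 = x^3 + 1: with p = 2 (mod 3) cubing is a bijection of F_p,
    so choose y and take x as the cube root of y^2 - 1."""
    y = random.randrange(p)
    return (pow((y * y - 1) % p, pow(3, -1, p - 1), p), y)

def keygen(q1, q2):
    """Section 5.1.2: smallest l with p = l*n - 1 prime and p = 2 (mod 3); the curve has
    p + 1 = l*n points, G is its subgroup of order n, and h = q2*u has order q1."""
    n, l = q1 * q2, 1
    while not (is_prime(l * n - 1) and (l * n - 1) % 3 == 2):
        l += 1
    p = l * n - 1
    def generator_of_G():
        while True:
            g = ec_mul(l, random_point(p), 0, p)  # multiply away the cofactor l
            if all(ec_mul(d, g, 0, p) is not O for d in (1, q1, q2)):
                return g  # order exactly n
    g, u = generator_of_G(), generator_of_G()
    return {"n": n, "p": p, "g": g, "h": ec_mul(q2, u, 0, p)}, q1

def encrypt(pk, m):
    """Section 5.1.3: C = m*g + r*h with r random in [0, n-1]."""
    p, r = pk["p"], random.randrange(pk["n"])
    return ec_add(ec_mul(m, pk["g"], 0, p), ec_mul(r, pk["h"], 0, p), 0, p)

def decrypt(pk, q1, C):
    """m = log_{q1*g}(q1*C): q1*h = n*u = O, so q1*C = m*(q1*g); the log is brute-forced."""
    p = pk["p"]
    base, target, R = ec_mul(q1, pk["g"], 0, p), ec_mul(q1, C, 0, p), O
    for m in range(pk["n"] // q1):  # message space 0..q2-1
        if R == target:
            return m
        R = ec_add(R, base, 0, p)
    raise ValueError("ciphertext is not in G")

def add_ciphertexts(pk, C1, C2):
    """Section 5.2: C1 + C2 + r*h decrypts to m1 + m2."""
    p, r = pk["p"], random.randrange(pk["n"])
    return ec_add(ec_add(C1, C2, 0, p), ec_mul(r, pk["h"], 0, p), 0, p)

def bp_blind_permute(pk, q1, s_a, s_b, q2):
    """Section 6, B's half: A holds shares s_a, B holds s_b, with s_a + s_b = S (mod q2)."""
    enc = [encrypt(pk, x) for x in s_a]  # step 1: A sends E_A(s'_i)
    r = [random.randrange(q2) for _ in s_a]  # step 2: B adds E_A(-r_i) homomorphically
    blinded = [add_ciphertexts(pk, c, encrypt(pk, -ri % q2)) for c, ri in zip(enc, r)]
    pi = random.sample(range(len(s_a)), len(s_a))  # step 3: B's permutation pi_B
    to_a = [blinded[i] for i in pi]
    v_b = [(s_b[i] + r[i]) % q2 for i in pi]
    v_a = [decrypt(pk, q1, c) for c in to_a]  # step 4: A decrypts its new shares
    return v_a, v_b

def demo(seed=1):
    """Constructed profiles: S holds the match sizes of Definition 1, split between A = P_1 and B."""
    random.seed(seed)
    q1, q2 = 11, 13  # toy primes; real t-bit primes are far larger
    pk, sk = keygen(q1, q2)
    profiles = {"P1": {"music", "hiking", "chess", "go"}, "P2": {"music", "chess"},
                "P3": {"hiking"}, "P4": {"music", "hiking", "go"}}
    S = [len(profiles["P1"] & profiles[c]) for c in ("P2", "P3", "P4")]
    s_a = [random.randrange(q2) for _ in S]
    s_b = [(s - a) % q2 for s, a in zip(S, s_a)]
    v_a, v_b = bp_blind_permute(pk, sk, s_a, s_b, q2)
    return sorted(S), sorted((a + b) % q2 for a, b in zip(v_a, v_b))
```

demo() returns the sorted match sizes before and after the blind-and-permute step; the two lists agree, while A's and B's individual shares have been freshly randomised and reordered by a permutation A never sees. Decryption recovers $m$ modulo $q_2$ because $q_1 \times g$ has order $q_2$, which is why the shares are kept in $\{0, \dots, q_2 - 1\}$.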

7 Performance Analysis

The experimental results presented in [?] compare the performance of RSA and ECC. For the same level of security, say level one, a device operating over RSA needs a key of 472 bits while over ECC we need only a key of 46 bits. In [12], the authors give a performance analysis of a cryptosystem based on Composite Degree Residuosity Classes (CDRC), which is the scheme that is proposed in the BP algorithm. First, RSA is better than CDRC in terms of computational complexity. CDRC offers a security level equivalent to $\mathrm{Class}[n]$ while RSA is equivalent to $\mathrm{RSA}[n, F_4]$, and we have [12]

$$\mathrm{RSA}[n, F_4] \Rightarrow \mathrm{Class}[n].$$

On the other hand, for the same key size, CDRC requires 5120 elementary operations for encryption while RSA needs only 17 operations. All those results demonstrate the efficiency of ECC in terms of performance.


8 Conclusion and Future Work

A homomorphic encryption scheme that enhances the performance of the FindU algorithm has been proposed in this document. Achieving the PL-3 security level is the main open problem not yet resolved. In future work, homomorphic encryption will be investigated in order to solve this issue.